With the advent of modern web browsers flagging all non-HTTPS web traffic as “not secure”, I have a few tips on what to do if you are running a website. Google announced the change some months ago, and Mozilla is following suit with their key products also.

If you are running a website, and you don’t run HTTPS and don’t enforce HTTPS by default, this affects you.

You need to fix it.

Modern web browsers typically upgrade themselves automatically. As such, all of your users will soon receive warnings that show your HTTP website as being “not secure”. They are going to complain.

What are HTTP and HTTPS?

HTTPS is a secure, encrypted version of the original HTTP protocol, instigated by Tim Berners-Lee. When he started developing the world wide web in the early 1990s, the security of the transmission of the data wasn’t considered too important.

Not many people were on the internet, and most of the people who were were considered “trustworthy”.

This has changed – and the switch to HTTPS – which basically takes HTTP, and wraps it up in an encrypted stream of data designed to prevent snooping of the traffic as it crosses the internet is absolutely the “new black” of the internet.

One of the biggest barriers to HTTPS uptake has been the cost of obtaining SSL certificates. They can and do cost several hundreds of dollars for certificates that expire – (typically) – every two years. Such costs are prohibitive for many people, particularly bloggers and small businesses who can’t justify that cost.

The solution?

The arrival of Let’s Encrypt has sparked a massive surge in the uptake of HTTPS by websites, and now more than half of the webpages on the internet are available using HTTPS. This is a huge win for internet users, keeping their communications encrypted and secure when browsing sites with HTTPS switched on.

And because their certificates are free, the barriers holding many people up from making the switch are mostly gone. They do expire every 90 days, but most web hosting companies have embraced them, and have automated mechanisms for the renewal of the certificates without human intervention.

What should I do?

If you are hosting and managing your website on your own servers, you probably have the smarts to use Let’s Encrypt to set up the certificates and make the necessary changes to the configuration of your web server yourself. Follow the information in their documentation.

If you are hosting your website on the servers of the company you are working for, contact your local systems administrators and seek their assistance.

If you are hosting your website on the servers of a web hosting company, contact their service desk team and seek their assistance.

An Important Mistake Not To Make

I recently got into an (somewhat heated) online discussion about the right and wrong ways to implement HTTPS. A common mistake I have seen is where the HTTP content of the website and the secured HTTPS content is served from the same document root.

This is bad.

Even if you move to HTTPS, and your content is still available via HTTP, people can still be directed to your site via HTTP. Old links to your site from someone else’s site can send your visitor via HTTP. This leaves them using HTTP for their entire visit.

Ensure that you ONLY serve your content via HTTPS. Point the “HTTP version” of your website to a different document root. From that document root, redirect all HTTP requests to the HTTPS document root.

Here’s how I do it – (note that this is for an Apache web server with PHP):

This serves to send every single request, regardless of the full URL to the file “index.php”. This file should contain the following (inside normal PHP start and finish tags):
@header("Location: https://michaelwyres.com.au".$_SERVER['REQUEST_URI']."",TRUE,301);

This will ensure that all requests to “http://michaelwyres.com.au/whatever-url/” are picked up and sent to “https://michaelwyres.com.au/whatever-url/”, including pages that do not exist.

In this way, if inbound links are still listing HTTP, or your visitor explicitly requests HTTP, it will be trapped and dumped to the HTTPS version of your site. It becomes impossible for people to browse your content using HTTP.

On the surface, this seems like a good idea – get to work in the morning a little earlier, get home in the evening a little earlier. Move freight a little faster.

Trouble is, this thought bubble doesn’t seem to have materialised by way of much thought.

As someone who drives this section of road every morning to work, and every evening home again, I got to asking myself how much time would this change really save?

The Liberal Nationals team have consulted with the community in the Geelong region and the overwhelming feedback is to return the Princes Freeway from Werribee to the Corio intersection back to a 110 km/h speed limit.

The section of road in question between Werribee and the Corio intersection – (where the Geelong Ring Road begins) – is 34km long.

At 100km/h – (the current speed limit) – you are travelling at 27.7778 metres per second, meaning you cover the 34km in 1223 seconds – (34,000 metres / 27.7778) – or 20 minutes and 23 seconds.

So the difference between 100km/h and 110km/h over the section in question is:

110 seconds, or;

1 minute and 50 seconds, or;

Bugger all.

Presuming you travel each direction each day – (like most Geelong commuters) – you’re saving yourself a paltry 3 minutes and 40 seconds in your day.

Pretty pointless, right?

What would I do with 3 minutes and 40 seconds extra in my day? How much can I actually do with 220 seconds of my time?

Once again, bugger all.

How else could I make up this 3 minutes and 40 seconds if I really needed it?

Perhaps I could leave for work in the morning 3 minutes and 40 seconds earlier? Or do I go to bed 3 minutes and 40 seconds later at night?

Do I split the difference and leave 1 minute and 50 seconds earlier in the morning, and leave work 1 minute and 50 seconds later in the afternoon?

Fact is because I drive this road every day, I know for a fact that the people who want to travel at 110km/h are already doing it. If the limit is raised, now they’ll do 120km/h instead, leading to obvious safety concerns. Faster speed, longer stopping distances.

If you’re going to raise the speed limit for the sake of 220 seconds extra in your day, you’re not being sensible.

Like much of what comes out of the thought bubbles our politicians offer us, this just hasn’t been thought through very well – if at all.

It’s just a populist piece of thinking designed to attract a few extra votes.

To be fair, that doesn’t mean it has been gone as such – (my old site archive is still running) – but I’ve not done much writing in the last few years. There’s a bunch of different reasons for that – some life changes have meant I’ve had other priorities.

In getting things back up and running, I’ve made a few technical changes. Firstly, I’m using my Australian-based domain now – (michaelwyres.com.au, as opposed to the more generic michaelwyres.com), and I’ve switched to HTTPS.

Because everyone should.

Obviously, there’s also a new look and feel too – something more modern after about 8 or 9 years with my old theme. Something much brighter, I’m sure you’ll agree.

I’ll be starting to post very soon – (I have a couple of posts in the works) – so lookout!